A word of warning to those of you who purchase a Samsung Galaxy S5: your cool new phone’s fingerprint scanner might be a big convenience, but it’s not actually a great way to secure your phone. It can be fooled with a fake fingerprint, just like the iPhone 5S.

That shouldn’t come as a shock. Just about any fingerprint scanner that works the way the Samsung one does can be fooled, as SRLabs has previously shown. If you’ve got access to a good quality camera and the right raw materials, you can whip up a stand-in fingerprint that will let you unlock a swipe-secured Galaxy S5 with relative ease.

Granted, you also need to have left a fairly clear print from the finger you’ve enrolled on your Galaxy S5 for a thief to copy. On a heavily-used smartphone, that’s not always going to be possible — but it could be. Still, it’s not the fact that the S5’s scanner can be defeated with a fake print that’s alarming here. It’s Samsung’s poor software setup.

In its current form, the software on the Galaxy S5 doesn’t care how many times you swipe a finger. That means it’ll give you an unlimited number of tries to authenticate with a swipe, which is a huge security problem. Something needs to happen after repeated failures, like a 1-hour lock or even a BlackBerry-esque device wipe… but it doesn’t. You can just power cycle and keep on swiping.

That makes the Galaxy S5 fingerprint scanner a terrible way to protect sensitive apps, like the PayPal app. As SRLabs demonstrates, with a fingerprint as the only credential in use, it’s trivial to swipe to unlock, launch the app, and then swipe again to initiate a transfer.

Granted, there’s much more at risk than your PayPal balance when a thief steals your phone. Access to your email and Facebook accounts, for example, provides valuable tools that could allow the same thief to gain access to online banking or defraud your friends and family.

Two things need to happen here. One, Samsung needs to update the Galaxy S5’s software so that repeated swipes are handled the same way repeated failures of any other authentication type are. Two, app developers need to utilize a second check. PayPal shouldn’t assume a user’s fingerprint is secure enough to re-authorize simply with a second swipe. Force a PIN creation or ask for a code word. Relying on a single factor when a person’s finances are being protected is just foolish.
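As an added illustration of the first fix, here is a sketch (not Samsung's code) of the failure handling the article says is missing: a per-device attempt counter that persists across a power cycle, escalating to a timed lock and eventually a wipe. The attempt limits, the 1-hour base lock and the wipe threshold are assumed policy values, not anything Samsung has published.

```python
# Added example (not Samsung's code): a lockout policy for repeated
# fingerprint failures. The counter lives in non-volatile storage so a
# power cycle does not reset it. All thresholds below are assumed values.
from dataclasses import dataclass


@dataclass
class NonVolatileStore:
    """Stands in for flash-backed storage that survives a reboot."""
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False


@dataclass
class FingerprintGate:
    store: NonVolatileStore
    free_attempts: int = 5           # assumed: 5 tries before any lock
    base_lock_seconds: float = 3600  # assumed: first lock lasts 1 hour
    wipe_after: int = 10             # assumed: wipe on the 10th failure

    def is_locked(self, now: float) -> bool:
        return self.store.wiped or now < self.store.locked_until

    def attempt(self, matched: bool, now: float) -> str:
        """Returns 'wiped', 'locked', 'denied' or 'granted'."""
        if self.store.wiped:
            return "wiped"
        if now < self.store.locked_until:
            return "locked"           # swipe ignored while the timer runs
        if matched:
            self.store.failures = 0   # a genuine match clears the counter
            return "granted"
        self.store.failures += 1
        if self.store.failures >= self.wipe_after:
            self.store.wiped = True
            return "wiped"
        excess = self.store.failures - self.free_attempts
        if excess >= 0:
            # 1h, 2h, 4h, ...: the lock doubles with each further failure
            self.store.locked_until = now + self.base_lock_seconds * 2 ** excess
            return "locked"
        return "denied"


def simulate_reboot(gate: FingerprintGate) -> FingerprintGate:
    """A power cycle builds a fresh gate over the same persisted store."""
    return FingerprintGate(gate.store, gate.free_attempts,
                           gate.base_lock_seconds, gate.wipe_after)
```

The point of `simulate_reboot` is that the new gate reads the same persisted counter, so the power-cycle-and-keep-swiping loop the article describes no longer works.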